artif: new artifacts

tclahr · May 21, 2024 · 801a04c · 801a04c
1 parent c636c4b
commit 801a04c
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,4 +26,10 @@
 - live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
 - live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
+- live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
 - live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by [sanderu](https://github.com/sanderu)).
diff --git a/artifacts/live_response/process/procfs_information.yaml b/artifacts/live_response/process/procfs_information.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect current running processes information.
@@ -42,6 +42,12 @@ artifacts:
     collector: command
     command: ls -l /proc/[0-9]*/cwd
     output_file: ls_-l_proc_pid_cwd.txt
+  -
+    description: Display the list of all modules loaded into the kernel.
+    supported_os: [linux]
+    collector: command
+    command: cat /proc/modules
+    output_file: cat_proc_modules.txt
   -
     description: Collect the command name associated with a process.
     supported_os: [android, linux]
@@ -98,6 +104,14 @@ artifacts:
     command: ls -la /proc/%line%/fd
     output_directory: proc/%line%
     output_file: fd.txt
+  -
+    description: Collect information about entries corresponding to memory-mapped files.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: ls -la /proc/%line%/map_files
+    output_directory: proc/%line%
+    output_file: map_files.txt
   -
     description: Collect the initial process' stack trace.
     supported_os: [android, linux]
@@ -114,6 +128,14 @@ artifacts:
     command: cat /proc/%line%/status
     output_directory: proc/%line%
     output_file: status.txt
+  -
+    description: Display the list of UNIX sockets.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: cat /proc/%line%/net/unix
+    output_directory: proc/%line%/net
+    output_file: unix.txt
   -
     description: Collect running process information.
     supported_os: [aix, solaris]
@@ -137,4 +159,7 @@ artifacts:
     foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
     command: procfiles -n -c %line%
     output_directory: proc/%line%
-    output_file: procfiles.txt
+    output_file: procfiles.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/ebpf.yaml b/artifacts/live_response/system/ebpf.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+artifacts:
+  -
+    description: List pinned eBPF progs.
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/fs/bpf
+    output_file: ls_-la_sys_fs_bpf.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/kernel_modules.yaml b/artifacts/live_response/system/kernel_modules.yaml
@@ -0,0 +1,19 @@
+version: 1.0
+artifacts:
+  -
+    description: Display the loaded kernel modules (compare with /proc/modules).
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/module
+    output_file: ls_-la_sys_module.txt
+  -
+    description: Display available parameters per kernel module.
+    supported_os: [linux]
+    collector: command
+    foreach: for module in /sys/module/* ; do echo ${module} | sed -e 's:/sys/module/::'; done
+    command: ls -la /sys/module/%line%/parameters
+    output_directory: module/%line%
+    output_file: parameters.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf